Insider Threat Awareness Month was created back in 2019 by several U.S. federal agencies to emphasize the importance of safeguarding our nation by detecting, deterring and mitigating insider threats. It serves as an annual reminder of the dangers these threats pose to companies around the globe.
While the month has raised awareness of these risks, insider threats are still a very common problem for businesses, highlighting the need for continued action. According to IBM, 60% of companies have over 20 incidents of insider attacks a year, and the cost related to these incidents was more than $2.7 million in 2020.
In honor of the month, experts have gathered their thoughts on preventing insider threats below:
Carl D’Halluin, CTO, Datadobi
“Predicting exactly when an insider threat will occur is nearly impossible. However, promoting awareness of the chances of an insider incident can help enterprises prepare themselves properly and enhance their overall data management strategy.
A successful insider attack can create long-lasting downtime for an organization which impacts its revenue and reputation. Enterprises need to have a plan in place to protect themselves from the aftereffects that come with an insider threat. As organizations increasingly rely on unstructured data to perform day-to-day business-critical functions, they need to maintain prompt access to their data in the event of a disruption.
An effective way to avoid downtime in the event of an insider threat is creating a ‘golden copy’ of business-critical data. Enterprises should maintain a secure golden copy of unstructured data in an air-gapped physical or cloud-based location. Limiting access to a golden copy in addition to a traditional backup strategy decreases the chances of downtime either from an accidental human error or malicious insider threat.”
Raffael Marty, SVP Cybersecurity Products, ConnectWise
“Insider threat is a complex and multi-faceted problem and while the topic most often comes up in the context of larger organizations, the general principles to prevent insider abuse are applicable to organizations of all scales. A comprehensive security program that covers both preparedness and visibility is the foundation to successful early identification of looming insider issues. Preparedness is about planning for the day that something happens and it should cover simple things like what the organization does when an employee leaves and goes all the way to establishing preparedness for a sabotage event like ransomware or electronic time bombs. Visibility is about having line of sight to potential adverse actions. It starts with monitoring devices, but expands to understanding what employees are doing and making sure they are trained on cyber security issues like phishing, which is still one of the main initial vectors of attacks.”
Steve Moore, Chief Security Strategist, Exabeam
“As organizations remain remote or begin their transition to hybrid work models, the risk of insider threats is more present than ever. Therefore, enterprises must recognize the severity of this form of attack.
Legitimate users performing unwanted or dangerous activity always prove more difficult to detect than typical external threats. Though most insider threats are unintentional and typically occur by accident, the damage they cause can still impact business outcomes and stability.
To add complexity to this already difficult problem, there have been examples of criminal attackers who now offer a cut of the proceeds if an employee assists in deploying ransomware. How many disgruntled or underappreciated employees might consider this opportunity?
When irregular behavior is detected, it should be taken seriously as a possible attack. Various indicators of insider threats exist, and a crucial step in protecting against them is recognizing those signs and establishing a threshold of normal for employees. Unfortunately, most organizations lack the capability to know normal human and device behavior.
Proper training feedback loops, visibility, and effective technology are the key to guarding against insider threats. In addition, utilizing behavioral analytics that can track and analyze user and machine data is critical.
Behavioral analytics technology can identify threats lurking within an organization by determining whether certain behaviors are normal or a potential cause for alarm. For example, has this employee from this department ever signed into this system before, or has anyone from her department? Unfortunately, finding the answer to these questions (and many more) during an incident can prove near impossible at worst and inconsistent at best without investing in the correct capabilities.
Different kinds of unusual activity that are typical signs of insider threats, such as large data uploads, credential abuse, or unusual access patterns, can be detected by behavioral analytics. As a result, the technology can find these suspicious behaviors among often unknowingly compromised insiders well before cybercriminals can gain access to critical systems — significantly decreasing the chances of data compromise.”
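The baseline questions in the quote above ("has this user ever signed into this system, has anyone in her department?") are the core of first-seen detection. The following is an added example, not code from the article or from Exabeam: it learns a per-user and per-department baseline from historical sign-in events, then scores new events as new-for-user (medium), new-for-department (high), or a large upload over a threshold. The directory, the systems and every event below are constructed sample data, and the 100 MB upload threshold is an assumed value.

```python
"""First-seen sign-in detection over constructed sign-in events.

Added example, not part of the original article. Every user, department,
system and event here is constructed; the upload threshold is assumed.
"""
from collections import defaultdict

# Constructed directory feed: user -> department.
DIRECTORY = {
    "alice": "finance",
    "bob": "finance",
    "carol": "engineering",
    "dave": "engineering",
}

# Constructed historical events used to learn "normal": (user, system, bytes_uploaded).
BASELINE_EVENTS = [
    ("alice", "erp", 0),
    ("bob", "erp", 0),
    ("carol", "git", 0),
    ("dave", "git", 0),
    ("dave", "build-server", 0),
]

# Constructed events to score after the baseline has been learned.
NEW_EVENTS = [
    ("alice", "erp", 0),            # known system for alice: nothing to report
    ("alice", "git", 0),            # new for alice AND nobody in finance uses git: high
    ("carol", "build-server", 0),   # new for carol, but dave (engineering) uses it: medium
    ("bob", "erp", 250_000_000),    # known system, unusually large upload: medium
    ("alice", "git", 0),            # second sign-in: already learned, nothing to report
]

SEVERITY_RANK = {"none": 0, "medium": 1, "high": 2}


def build_baseline(events, directory):
    """Learn which systems each user, and each department, has signed into."""
    user_systems = defaultdict(set)
    dept_systems = defaultdict(set)
    for user, system, _uploaded in events:
        user_systems[user].add(system)
        dept_systems[directory.get(user, "unknown")].add(system)
    return user_systems, dept_systems


def score_event(event, user_systems, dept_systems, directory, upload_threshold):
    """Score one event against the baseline, then fold it into the baseline."""
    user, system, uploaded = event
    dept = directory.get(user, "unknown")
    reasons, severity = [], "none"

    if system not in user_systems[user]:
        reasons.append(f"first sign-in to {system} by {user}")
        severity = "medium"
        if system not in dept_systems[dept]:
            reasons.append(f"no one in {dept} has signed into {system} before")
            severity = "high"

    if uploaded > upload_threshold:
        reasons.append(f"upload of {uploaded} bytes exceeds threshold {upload_threshold}")
        severity = max(severity, "medium", key=SEVERITY_RANK.__getitem__)

    # Learning step: once seen, the (user, system) pair counts as normal from here on.
    user_systems[user].add(system)
    dept_systems[dept].add(system)
    return {"user": user, "system": system, "severity": severity, "reasons": reasons}


def run_detection(new_events, baseline_events=BASELINE_EVENTS, directory=DIRECTORY,
                  upload_threshold=100_000_000):
    """Return findings (severity != none) for new_events, in event order."""
    user_systems, dept_systems = build_baseline(baseline_events, directory)
    findings = []
    for event in new_events:
        result = score_event(event, user_systems, dept_systems, directory, upload_threshold)
        if result["severity"] != "none":
            findings.append(result)
    return findings


if __name__ == "__main__":
    for finding in run_detection(NEW_EVENTS):
        print(finding["severity"].upper(), finding["user"], finding["system"], "; ".join(finding["reasons"]))
```

The learning step is the part to think about in a real deployment: because every scored event is folded into the baseline, a compromised account that keeps using a new system becomes "normal" after its first alert. Production systems typically age entries out, require an analyst to confirm a new pair before it is accepted, or keep the department-level baseline separate from the per-user one so that the high-severity signal survives.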
Alex Pezold, CEO, TokenEx
“Although standard controls such as logging and tracking, identity and access management, and internal policies and training are all essential elements of a robust security strategy to address insider threats, none can prevent the exposure of sensitive data in the event of a breach. Therefore, data protection is also a critical component of this value chain. We’ve seen our customer base use tokenization to satisfy their needs for greater data protection while enabling their Zero Trust principles more effectively.
By using tokenization, companies can minimize risk by removing sensitive data from their environments so that it cannot be compromised if their internal systems are breached. So even if a security control fails and allows a database to be accessed, only tokens will be available to the intruder while the original sensitive data is safely stored offsite.”
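To make the mechanism in the quote above concrete, here is an added example of vault-style tokenization, written for this page and not taken from TokenEx or the article. A simulated offsite vault is the only component that holds the real card number; the application database stores a token that keeps the last four digits for display but is otherwise random, and detokenization is gated on an allow list of principals. The PAN, the order records and the `payment-processor` principal are constructed sample values.

```python
"""Vault-style tokenization of card numbers.

Added example, not part of the original article. The vault, the principal
names and the card number used in the usage section are all constructed.
"""
import secrets

# Assumed allow list: only these principals may recover original values.
DETOKENIZE_ALLOWED = {"payment-processor"}


class TokenVault:
    """Stands in for the offsite vault, which in practice lives in its own
    trust boundary with its own storage encryption and access controls."""

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    def tokenize(self, pan):
        """Return a token for pan: same length, same last four digits, all
        other digits random. Repeated calls for the same PAN return the same token."""
        if not pan.isdigit() or len(pan) < 8:
            raise ValueError("expected a numeric PAN of at least 8 digits")
        if pan in self._value_to_token:
            return self._value_to_token[pan]
        while True:
            prefix = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = prefix + pan[-4:]
            # Regenerate on the (unlikely) collision with an existing token or the PAN itself.
            if token != pan and token not in self._token_to_value:
                break
        self._token_to_value[token] = pan
        self._value_to_token[pan] = token
        return token

    def detokenize(self, token, principal):
        """Recover the original value; refused for principals not on the allow list."""
        if principal not in DETOKENIZE_ALLOWED:
            raise PermissionError(f"{principal} is not allowed to detokenize")
        return self._token_to_value[token]


def store_order(app_db, vault, order_id, pan):
    """The application persists only the token; the PAN never reaches app_db."""
    app_db[order_id] = {"pan_token": vault.tokenize(pan), "last4": pan[-4:]}


def leaked_pans(app_db, real_pans):
    """Simulate reading the whole application database: which real PANs appear in it?"""
    dumped = " ".join(str(row) for row in app_db.values())
    return [pan for pan in real_pans if pan in dumped]


if __name__ == "__main__":
    vault, app_db = TokenVault(), {}
    store_order(app_db, vault, "order-1", "4111111111111111")  # constructed test PAN
    print("application row:", app_db["order-1"])
    print("PANs recoverable from app db:", leaked_pans(app_db, ["4111111111111111"]))
    print("detokenized by processor:", vault.detokenize(app_db["order-1"]["pan_token"], "payment-processor"))
```

Two simplifications are worth naming. The vault indexes by plaintext value so that the same PAN always maps to one token; a production vault would key that index by a keyed hash so plaintext never sits in a lookup key. And the allow list is a stand-in for whatever authentication the vault actually enforces; the security property of the design rests entirely on the vault being reachable only through that gate and never from the application's own database tier.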
Neil Jones, cybersecurity evangelist, Egnyte
“Responsible companies consistently update their cyberattack prevention plans and implement measures that protect them from falling victim to potential attacks. As vigilant as they might be, most organizations overlook an important contributor to cyberattacks: insider threats.
This is not surprising, because companies need to trust their employees in order to succeed. But with employee trust needs to come employer validation and monitoring of their users’ behavior.
While not all insider threats are malicious, they can be even more devastating than external attacks. Critical contributors to insider threats are employee turnover, poor data governance controls and negligence. If employees resign, they can extract information from your files that could benefit them in their new jobs with competitors, or even worse, publicly embarrass your organization. That process is referred to as exfiltration. A good first step to prevent “data leakage” is to utilize a data governance platform that leverages machine learning, so that sensitive information is available to the correct organizational users, based on their business “need to know.”
Negligence can be combated with proper training, and by limiting access to files across the company. There is no reason that someone in the finance department should have access to roadmapped product development plans, without justifying their request with the product development team first. Limiting the spread of internal information will also enable your system to prioritize threats to your sensitive data. The best way to thwart a potential attack is by having a proactive approach in place that detects misuse before it’s too late.”
Surya Varanasi, CTO, StorCentric
“September 2021 marks the third year of National Insider Threat Awareness Month (NITAM), which according to the NITAM website aims to help prevent ‘exploitation of authorized access to cause harm to an organization or its resources.’ While the month focuses on national security, this issue is of course inextricably linked with organizational security as well. When enterprises think about ransomware attacks, the focus is often on guarding against external threats, of which there are many. Yet companies must remember and be prepared to defend against threats from inside their organization too.
Three words hold the key to achieving this: protect, detect and recover. Given the prevailing stats, such as those from the Ponemon Institute, the likelihood of an insider threat existing and then leading to a successful data breach is high and growing rapidly. It is therefore critical that the recovery piece be firmly in place. Two highly critical best practices here relate to your data backups. Organizations must ensure they have unbreakable and immutable backups. The ideal solution(s) should include features like file fingerprinting, file redundancy, file serialization, secure timestamp, and auto file repair, as well as the necessary capabilities to ensure regulatory compliance. And the admin keys should be stored in another location for added protection. Next, the solution should provide immutability and allow the user to lock backups for a predetermined period of time: an “immutable retention period,” during which they cannot be deleted, moved or altered in any way.
Corporate defenses should be equal to the level of threat—which means assuming the worst and putting the best solution in place, particularly when it comes to ensuring recovery. By having impenetrable recovery solutions in place for internal threats as well as external ones, organizations can protect their most valuable data assets and ensure the longevity of their business.”
Danny Lopez, CEO, Glasswall
“It seems like every day there is a headline about another company falling victim to a cyberattack. What many companies fail to realize is that not all threats come from outside sources. In fact, insider threats have increased by 47% in the past two years. While it’s easier to assume it could never happen to your organization, taking responsibility for your security before an attack occurs is always the best option.
Not all insider threats are malicious. In fact, many victims are completely unaware that their credentials were compromised in the first place. Employee training can be helpful in some cases, but it often overlooks the sophistication of cybercriminals and can create a fear-based culture where people are afraid to come forward if they’ve made a mistake.
Your employees should not be your only line of defense against cyberattacks. Instead, your leadership teams should understand where your risk factors are and implement proactive technologies, such as Content Disarm and Reconstruction (CDR), which can deliver instant protection. In the face of increasing risk and intricate attacks, there’s no better time to make cybersecurity a top priority.”